Explore top 10 tips to secure your open-source projects now. Read More
×Update to latest 7.7.x release available, a security release. Includes fixes for VSV00017 aka CVE-2025-8671, aAdded patches for for VSV00018 aka CVE-2026-34475, added patches for for VSV00019.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-7f36ec4c65 2026-07-01 01:21:48.846180+00:00 -------------------------------------------------------------------------------- Name : varnish Product : Fedora 43 Version : 7.7.3 Release : 2.fc43 URL : https://www.varnish-cache.org/ Summary : High-performance HTTP accelerator Description : This is Varnish Cache, a high-performance HTTP accelerator. Varnish Cache stores web pages in memory so web servers don’t have to create the same web page over and over again. Varnish Cache serves pages much faster than any application server; giving the website a significant speed up. Documentation wiki and additional information about Varnish Cache is available on: https://www.varnish-cache.org/ -------------------------------------------------------------------------------- Update Information: Update to latest 7.7.x release available, a security release. Includes fixes for VSV00017 aka CVE-2025-8671, aAdded patches for for VSV00018 aka CVE-2026-34475, added patches for for VSV00019. -------------------------------------------------------------------------------- ChangeLog: * Mon Jun 15 2026 Ingvar Hagelund - 7.7.3-2 - Update to latest 7.7.x release available, a security release - Includes fixes for VSV00017 aka CVE-2025-8671 - Added patches for for VSV00018 aka CVE-2026-34475 - Added patches for for VSV00019 * Fri Jul 25 2025 Luboš Uhliarik - 7.7.1-4 - bundle jemalloc in RHEL * Fri Jul 25 2025 Fedora Release Engineering - 7.7.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild * Thu May 22 2025 Ingvar Hagelund - 7.7.1-2 - Correct ABI and VRT versions - Pulled el7 support - Use systemd setup for users * Tue May 20 2025 Luboš Uhliarik - 7.7.1-1 -new version 7.7.1 * Thu Mar 27 2025 Ingvar Hagelund - 7.7.0-2 - Fix for eln build (merged from yselkowitz) - Fix for failing h2 switch check. Enabling full test suite again * Mon Mar 24 2025 Ingvar Hagelund - 7.7.0-1 - New upstream release - fedora now has completed the bin/sbin merge * Sun Jan 19 2025 Fedora Release Engineering - 7.6.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild * Mon Dec 2 2024 Ingvar Hagelund - 7.6.1-1 - New upstream release * Mon Sep 16 2024 Ingvar Hagelund - 7.6.0-1 - New upstream release - Updated checkout of pkg-varnish * Sat Jul 20 2024 Fedora Release Engineering - 7.5.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-7f36ec4c65' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Latest Fedora 43 Varnish security release fixes critical issues revealed in multiple CVEs to enhance performance and reliability.. Varnish Cache update, Fedora 43 security release, HTTP accelerator security, CVE-2025-8671 fixes, security advisories. . Severity: Important. LinuxSecurity.com Team
New upstream release varnish-8.0.2, a security release. Includes fix for VSV00019. Dependent packages are included in this update.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-2148c0e80b 2026-06-13 01:09:32.029605+00:00 -------------------------------------------------------------------------------- Name : varnish-modules Product : Fedora 44 Version : 0.27.0 Release : 4.fc44 URL : https://github.com/varnish/varnish-modules Summary : A collection of modules ("vmods") extending Varnish VCL Description : This is a collection of modules ("vmods") extending Varnish VCL used for describing HTTP request/response policies with additional capabilities. This collection contains the following vmods: bodyaccess, header, saintmode, tcp, var, vsthrottle, xkey -------------------------------------------------------------------------------- Update Information: New upstream release varnish-8.0.2, a security release. Includes fix for VSV00019. Dependent packages are included in this update. -------------------------------------------------------------------------------- ChangeLog: * Tue May 26 2026 Ingvar Hagelund - 0.27.0-4 - Rebuilt for varnish-8.0.2 * Sun May 17 2026 Ingvar Hagelund - 0.27.0-3 - Rebuilt for varnish-8.0.1 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-2148c0e80b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
New upstream release varnish-8.0.2, a security release. Includes fix for VSV00019. Dependent packages are included in this update.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-2148c0e80b 2026-06-13 01:09:32.029605+00:00 -------------------------------------------------------------------------------- Name : varnish Product : Fedora 44 Version : 8.0.2 Release : 1.fc44 URL : https://www.varnish-cache.org/ Summary : High-performance HTTP accelerator Description : This is Varnish Cache, a high-performance HTTP accelerator. Varnish Cache stores web pages in memory so web servers don’t have to create the same web page over and over again. Varnish Cache serves pages much faster than any application server; giving the website a significant speed up. Documentation wiki and additional information about Varnish Cache is available on: https://www.varnish-cache.org/ -------------------------------------------------------------------------------- Update Information: New upstream release varnish-8.0.2, a security release. Includes fix for VSV00019. Dependent packages are included in this update. -------------------------------------------------------------------------------- ChangeLog: * Tue May 26 2026 Ingvar Hagelund - 8.0.2-1 - New upstream release: A security release - Includes fix for VSV00019 * Sun May 17 2026 Ingvar Hagelund - 8.0.1-1 - New upstream release: A security relase - Includes fix for VSV00018, CVE-2026-34475 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-2148c0e80b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Upgrade to Varnish 8.0.2 on Fedora 44 for a critical security fix addressing VSV00019 with improved performance.. Fedora 44 Varnish Update, HTTP Accelerator Security Fix, Varnish Cache Upgrade. . Severity: Important. LinuxSecurity.com Team
MGASA-2025-0239 - Updated varnish & lighttpd packages fix security vulnerability. MGASA-2025-0239 - Updated varnish & lighttpd packages fix security vulnerability Publication date: 17 Oct 2025 URL: https://advisories.mageia.org/MGASA-2025-0239.html Type: security Affected Mageia releases: 9 CVE: CVE-2025-8671 Description: It was discovered that a denial of service attack can be performed on cache servers that have the HTTP/2 protocol turned on. An attacker can create a large number of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the session, causing the server to consume unnecessary resources processing requests for which the response will not be delivered (CVE-2025-8671). References: - https://bugs.mageia.org/show_bug.cgi?id=34587 - https://www.openwall.com/lists/oss-security/2025/08/13/6 - https://www.openwall.com/lists/oss-security/2025/08/16/1 - https://www.cve.org/CVERecord?id=CVE-2025-8671 SRPMS: - 9/core/varnish-7.7.3-1.mga9 - 9/core/lighttpd-1.4.80-1.3.mga9 . The Mageia security advisory highlights a critical DoS issue in Varnish affecting Mageia 9, requiring prompt action.. CVE-2025-8671,Varnish Security,Denial of Service,Mageia Advisory. . Severity: Important. LinuxSecurity.com Team
Security: This update includes fixes for CVE-2025-47905 aka VSV00016: A client- side desync vulnerability can be triggered in Varnish Cache. This vulnerability can be triggered under specific circumstances involving malformed HTTP/1 chunked requests.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-525d870026 2025-08-08 00:53:07.923873+00:00 -------------------------------------------------------------------------------- Name : varnish Product : Fedora 42 Version : 7.6.1 Release : 6.fc42 URL : https://vinyl-cache.org/ Summary : High-performance HTTP accelerator Description : This is Varnish Cache, a high-performance HTTP accelerator. Varnish Cache stores web pages in memory so web servers don\u2019t have to create the same web page over and over again. Varnish Cache serves pages much faster than any application server; giving the website a significant speed up. Documentation wiki and additional information about Varnish Cache is available on: https://vinyl-cache.org/ -------------------------------------------------------------------------------- Update Information: Security: This update includes fixes for CVE-2025-47905 aka VSV00016: A client- side desync vulnerability can be triggered in Varnish Cache. This vulnerability can be triggered under specific circumstances involving malformed HTTP/1 chunked requests. -------------------------------------------------------------------------------- ChangeLog: * Wed Jul 30 2025 Ingvar Hagelund - 7.6.1-6 - Added security patch for VSV00016 aka CVE-2025-47905, rhbz#2369404 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2369404 - CVE-2025-47905 varnish: request smuggling attacks [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2369404 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c'dnf upgrade --advisory FEDORA-2025-525d870026' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Mitigation for CVE-2025-47905 enhancing Varnish Cache's resilience to potential client-side desynchronization risks.. Varnish Cache, security update, Fedora 42, CVE-2025-47905. . LinuxSecurity.com Team
An update that fixes four vulnerabilities is now available. . openSUSE Security Update: Security update for varnish ______________________________________________________________________________ Announcement ID: openSUSE-SU-2025:0179-1 Rating: important References: #1216123 #1221942 #1239892 Cross-References: CVE-2013-4484 CVE-2023-44487 CVE-2024-30156 CVE-2025-30346 CVSS scores: CVE-2023-44487 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Backports SLE-15-SP6 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for varnish fixes the following issues: - Update to release 7.7.1 * VSV-16: Resolve request smuggling attack - Update to release 7.7.0 * The `linux` jail gained control of transparent huge pages settings. * An issue has been fixed which could cause a crash when varnishd receives an invalid Content-Range header from a backend. * Timestamping for HTTP/2 requests (when idle period begins) has been switched to be more in line with HTTP/1. * VSV-15: The client connection is now always closed when a malformed request is received. [CVE-2025-30346, boo#1239892] - Update to release 7.6.0 * The Varnish Delivery Processor (VDP) filter API has been generalized to also accommodate future use for backend request bodies. * VDPs with no vdp_bytes_f function are now supported if the vdp_init_f returns a value greater than zero to signify that the filter is not to be added to the chain. This is useful to support VDPs which only need to work on headers. * The epoll and kqueue waiters have been improved to correctly report WAITER_REMCLOSE, which increases the WAITER.*.remclose counter. * varnishtest now supports the shutdown command corresponding to the shutdown(2) standard C library call. * VSC counters for waiters have been added: * conns to count waits on idle connections * remclose to count idle connections closed by the peer * timeout to count idle connections which timed out in the waiter * action to count idle connections which resulted in a read * The port of a listen_endpoint given with the -a argument to varnishd can now also be a numerical port range like "80-89". * The warning "mlock() of VSM failed" message is now emitted when locking of shared memory segments (via mlock(2)) fails. * A bug has been fixed where string comparisons in VCL could fail with the nonsensical error message "Comparison of different types: STRING '==' STRING". * An issue has been addressed in the builtin.vcl where backend responses would fail if they contained a Content-Range header when no range was requested. * Additional SessError VSL events are now generated for various HTTP/2 protocol errors. * A new Linux jail has been added which is now the default on Linux. For now, it is almost identical to the Unix jail with one addition: * When the new Linux jail is used, the working directory not mounted on tmpfs partition. * A race condition with VCL temperature transitions has been addressed. * Internal management of probes has been reworked to address race conditions. * Backend tasks can now be instructed to queue if the backend has reached its max_connections. * The size of the buffer to hold panic messages is now tunable through the new panic_buffer parameter. * The Varnish Shared Memory (VSM) and Varnish Shared Counters (VSC) consumer implementation in libvarnishapi have been improved for stability and performance. * An issue has been fixed where Varnish Shared Log (VSL) queries (for example using ``varnishlog -q``) with numerical values would fail in unexpectedways due to truncation. * The ``ObjWaitExtend()`` Object API function gained a statep argument to optionally return the busy object state consistent with the current extension. A NULL value may be passed if the caller does not require it. * For backends using the ``.via`` attribute to connect through a proxy, the connect_timeout, ``first_byte_timeout`` and ``between_bytes_timeout`` attributes are now inherited from proxy unless explicitly given. * varnishd now creates a worker_tmpdir which can be used by VMODs for temporary files. The VMOD developer documentation has details. * The environment variable VARNISH_DEFAULT_N now provides the default "varnish name" / "workdir" as otherwise specified by the ``-n`` argument to varnishd and varnish* utilities except varnishtest. * A glitch with TTL comparisons has been fixed which could, for example, lead to unexpected behavior with purge.soft(). - Update to release 7.5.0 * Resolved CVE-2023-44487, CVE-2024-30156 [boo#1221942] * The default value of cli_limit has been increased from 48KB to 64KB. * A new ``pipe_task_deadline`` directive specifies the maximum duration of a pipe transaction. * All the timeout parameters that can be disabled accept the "never" value. * Added parameters to control the HTTP/2 Rapid Reset attach. - update to 7.4.2 (boo#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that*req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. The defaults are 100 and 60 seconds, corresponding to an allowance of 100 "rapid" resets per minute. * The ``h2.rapid_reset_budget()`` function can be used to query the number of currently allowed "rapid" resets. * Sessions closed due to rapid reset rate limiting are reported as ``SessClose RAPID_RESET`` in `vsl(7)` and accounted to ``main.sc_rapid_reset`` in `vsc` as visible through ``varnishstat(1)``. * The ``cli_limit`` parameter default has been increased from 48KB to 64KB. * ``VSUB_closefrom()`` now falls back to the base implementation not only if ``close_range()`` was determined to be unusable at compile time, but also at run time. That is to say, even if ``close_range()`` is compiled in, thefallback to the naive implementation remains. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP6: zypper in -t patch openSUSE-2025-179=1 Package List: - openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64): libvarnishapi3-7.7.1-bp156.2.3.1 varnish-7.7.1-bp156.2.3.1 varnish-devel-7.7.1-bp156.2.3.1 References: https://www.suse.com/security/cve/CVE-2013-4484.html https://www.suse.com/security/cve/CVE-2023-44487.html https://www.suse.com/security/cve/CVE-2024-30156.html https://www.suse.com/security/cve/CVE-2025-30346.html https://bugzilla.suse.com/1216123 https://bugzilla.suse.com/1221942 https://bugzilla.suse.com/1239892 . An essential security patch for Fedora tackles three significant vulnerabilities in Nginx to bolster overall system protection.. openSUSE update,varnish security,important fixes,openSUSE vulnerabilities. . Severity: Important. LinuxSecurity.com Team
The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network: . Oracle Linux Security Advisory ELSA-2025-8550 http://linux.oracle.com/errata/ELSA-2025-8550.html The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network: x86_64: varnish-7.6.1-2.el10_0.1.x86_64.rpm varnish-devel-7.6.1-2.el10_0.1.x86_64.rpm varnish-docs-7.6.1-2.el10_0.1.x86_64.rpm aarch64: varnish-7.6.1-2.el10_0.1.aarch64.rpm varnish-devel-7.6.1-2.el10_0.1.aarch64.rpm varnish-docs-7.6.1-2.el10_0.1.aarch64.rpm SRPMS: http://oss.oracle.com/ol10/SRPMS-updates/varnish-7.6.1-2.el10_0.1.src.rpm Related CVEs: CVE-2025-47905 Description of changes: [7.6.1-2.el10_0.1] - Resolves: RHEL-89691 - varnish: request smuggling attacks (CVE-2025-47905) _______________________________________________ El-errata mailing list
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: . Oracle Linux Security Advisory ELSA-2025-8336 http://linux.oracle.com/errata/ELSA-2025-8336.html The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: x86_64: varnish-6.0.13-1.module+el8.10.0+90594+95ad0b53.1.x86_64.rpm varnish-devel-6.0.13-1.module+el8.10.0+90594+95ad0b53.1.x86_64.rpm varnish-docs-6.0.13-1.module+el8.10.0+90594+95ad0b53.1.x86_64.rpm varnish-modules-0.15.0-6.module+el8.10.0+90594+95ad0b53.x86_64.rpm aarch64: varnish-6.0.13-1.module+el8.10.0+90594+95ad0b53.1.aarch64.rpm varnish-devel-6.0.13-1.module+el8.10.0+90594+95ad0b53.1.aarch64.rpm varnish-docs-6.0.13-1.module+el8.10.0+90594+95ad0b53.1.aarch64.rpm varnish-modules-0.15.0-6.module+el8.10.0+90594+95ad0b53.aarch64.rpm SRPMS: http://oss.oracle.com/ol8/SRPMS-updates//varnish-6.0.13-1.module+el8.10.0+90594+95ad0b53.1.src.rpm http://oss.oracle.com/ol8/SRPMS-updates//varnish-modules-0.15.0-6.module+el8.10.0+90594+95ad0b53.src.rpm Related CVEs: CVE-2025-47905 Description of changes: varnish [6.0.13-1.1] - Resolves: RHEL-89695 - varnish: request smuggling attacks (CVE-2025-47905) varnish-modules _______________________________________________ El-errata mailing list
Get the latest Linux and open source security news straight to your inbox.